Lessons from the EU–Japan mutual adequacy arrangement
Dechert London partner Paul Kavanagh and associate Dylan Balbirnie assess what the recent EU–Japan adequacy deal demonstrates about the European Commission’s approach to adequacy.
The GDPR restricts the transfer of personal data from the EU to non-EU countries; such transfers are only permitted in specified circumstances. One such circumstance is where the European Commission has made a decision that the destination country has an adequate regime for the protection of personal data. Adequacy decisions allow organisations to export personal data from the EU without the need to obtain consent from data subjects and without having to put in place specified safeguards such as standard contractual clauses or binding corporate rules. The GDPR indicates that an adequacy decision should only be made where the level of protection of personal data in the non-EU country is “essentially equivalent” to that ensured in the EU.
The European Commission has previously made 12 adequacy decisions that recognise the adequate level of protection provided by non-EU jurisdictions such as Switzerland, New Zealand and the US (for organisations affiliated with the Privacy Shield framework).
On 23 January 2019, a further step was taken to streamline flows of personal data between EU and non-EU countries. The European Commission adopted an adequacy decision on the transfer of personal data to Japan, while an equivalent decision was adopted by the Personal Information Protection Commission (PPC), Japan’s national data protection authority. According to the European Commission, these mutual decisions create the world’s largest area for safe personal data flows.
The agreement, along with the EU-Japan Economic Partnership Agreement (EPA), which came into force on 1 February 2019, is intended to further strengthen the trading relationship between the EU and Japan, and builds upon a joint declaration made in July 2017 by the Japanese Prime Minister Shinzo Abe and the European Commission President Jean-Claude Juncker, to continue to facilitate data exchanges by ensuring a common level of protection. The EPA is reported to be the largest bilateral trade deal (in terms of market size) ever made by the EU. According to the European Commission’s press release, the EPA removes 97% of Japanese tariffs on EU goods and 99% of EU tariffs on Japanese goods, saving an estimated €1 billion in duties for EU companies. The resulting greater volume of trade will inevitably necessitate greater volumes of data flow. Restrictions on the export of personal data can be a significant additional hindrance to trade; the EPA and the mutual adequacy decisions complement each other, with the common aim of removing barriers to EU–Japan trade.
Japan’s data protection framework
The Act on the Protection of Personal Information (APPI) is Japan’s primary data protection legislation. The APPI fortifies and particularises the right to privacy and data protection deriving from article 13 of Japan’s constitution. An amended version of the APPI came into force in May 2017, strengthening Japan’s data protection regime and paving the way for an EU adequacy decision. The PPC enforces the law. It acts on a neutral and independent basis, and has published detailed guidelines that sit alongside the APPI.
Meeting the EU’s adequacy standards
The European Commission reviewed the core obligations provided by the GDPR and assessed the extent to which the Japanese regime conferred equivalent protections. Although the existing legal framework in Japan is relatively comprehensive in light of the 2017 APPI amendments, the European Commission considered that there were several limitations. The EU decision addresses these limitations by restricting the scope of its own application, and Japan has implemented a set of supplementary rules to the APPI that apply only to personal data transferred from the EU to Japan.
The APPI only applies to “personal information handling business operators”. As such, the European Commission’s adequacy decision is expressly limited to personal data transferred to personal information handling business operators. The recitals to the adequacy decision make clear that this is a broad category that includes both for-profit and not-for-profit activities by all kinds of organisations and individuals. Government and administrative agencies, however, are not personal information handling business operators.
In addition, certain types of data use by certain types of organisations – such as the press, academic establishments, writers, religious bodies and political bodies – are expressly excluded from the APPI’s scope. The EU adequacy decision similarly excludes transfers of personal data from the EU to such organisations.
While the vast majority of exports of personal data from the EU to private organisations in Japan will be covered by the adequacy decision, EU businesses should be aware that it may not apply to every EU–Japan transfer.
Categorising EU-derived personal data
The Japanese regime puts information into several categories to which different obligations apply (“personal information”, “personal data”, “retained personal data”, “special care required personal information”, “anonymously processed personal information”). This categorisation has required amendments for EU-derived personal data to ensure that it is appropriately protected in Japan.
- The APPI applies a lighter-touch regime to personal data that is set to be deleted within six months, and is therefore not “retained personal data”. In the EU, rights and obligations in respect of personal data do not depend on the data’s retention period. As a consequence, under the ordinary Japanese rules a transfer from the EU to Japan of personal data that is intended to be deleted within six months would result in the data subject losing rights in respect of that data. To address this concern, Japan has imposed a supplementary rule requiring personal data transferred from the EU to be treated as “retained personal data” – the lighter-touch regime will not apply.
- Particularly stringent obligations under the APPI and the GDPR apply to certain categories of data that are deemed particularly sensitive, such as medical and racial data. The APPI refers to this as “special care required personal information”. However, while under the GDPR these special categories of data include sex life, sexual orientation and trade union membership, the APPI does not treat these specially. To align the treatment of such categories of data in Japan with their treatment in the EU, a supplementary rule requires data relating to sex life, sexual orientation and trade union membership from the EU to be treated as if it were “special care required personal information”.
- Under the GDPR, data is only anonymised – such that it is no longer personal data and falls outside the scope of the GDPR – if the anonymisation is irreversible. In Japan, however, data can be treated as “anonymously processed personal information” even if it is possible to reverse the anonymisation. The supplementary rules bring the Japanese rules on anonymisation closer to those under the GDPR for personal data that originates from the EU. Under Supplementary Rule 5, it must be impossible to reidentify an individual for EU data to be taken out of the APPI’s general rules.
New uses of personal data
The European Commission expressed concern that under the APPI, an organisation that receives personal data from another organisation (rather than the data subject themselves) could process personal data for purposes other than the purpose for which that personal data was originally collected from the data subject. Japan has therefore implemented a supplementary rule requiring businesses that handle personal data from the EU to obtain consent from the data subjects before processing the personal data for a new purpose.
The APPI includes restrictions on the transfer of personal data to countries outside Japan. Consent from data subjects is often necessary to legitimise such transfers. The GDPR has stringent requirements for consent to be valid, including that sufficient information is provided to the data subject so that individuals can make informed decisions whether to provide their consent. For onward transfers of personal data originating from the EU, Supplementary Rule 4 requires additional information to be provided to data subjects, bringing the consent closer to the EU standard.
A key concern of the European Commission is the extent to which public authorities can access and use personal data for the prevention of crime and national security purposes. Excessive access by public authorities was a major factor in the European Court of Justice’s invalidation of the EU–US Safe Harbour framework.
The Japanese government has given assurances that only necessary and proportionate access to personal data from the EU would be permitted for criminal law enforcement and national security purposes. It has also introduced a complaints-handling mechanism to investigate and resolve EU data subject complaints relating to Japanese public authorities’ access to their data.
The adequacy decision will ease the GDPR compliance burden for companies that transfer data to Japan.
However, the supplemental rules create a different system within the Japanese regime in respect of personal data deriving from the EU. Organisations handling EU-originating personal data in Japan will have to take care to distinguish between multiple different categories of personal data. The European Commission refers in particular to the need to ensure that EU-originating personal data can be identified throughout its life cycle by technical measures (such as tagging) or organisational measures (storing in a dedicated database). This serves as an additional overlay over the numerous categories already present under the APPI. While the adequacy decision makes the transfer to Japan easier from a GDPR-compliance perspective, many organisations in Japan will find the new regime for processing EU-originating data burdensome.
The supplemental rules indicate the areas in which Japan’s regime significantly differs from the GDPR, but also provide insight into the issues that are of particular concern to the European Commission more generally. The European Commission was concerned to ensure that personal data that would be caught by the GDPR would be within the scope of Japan’s data protection regime – but it appears to have been somewhat more forgiving of differences in specific rights and obligations.
Provided that there are broadly equivalent rights and obligations under a country’s data protection framework, the European Commission appears not to require close equivalence when it comes to the enforcement regime. Under the APPI, the maximum fine that can be levied is generally 300,000 yen (€2,400). That amount pales in comparison with the GDPR’s penalties, which can reach the higher of €20 million or 4% of annual global turnover. In practice, the effectiveness of a country’s enforcement regime may be a more important factor in ensuring general adequate protection for EU-originating personal data than specific legislative provisions. It therefore seems that a country implementing GDPR-style rights and obligations coupled with a less oppressive enforcement regime could potentially be sufficient for it to be deemed adequate, while maintaining a business-friendly framework.
The European Commission placed considerable reliance on the PPC’s regulatory guidelines in its analysis of Japan’s regime. The guidelines played a significant role in bridging several apparent differences between the APPI and the GDPR. Regulatory guidelines can therefore be seen as a relatively flexible tool to align data protection laws with the GDPR without the need for legislation. Importantly in the case of Japan, the PPC provided information to demonstrate the authoritative nature of its guidelines. In particular, the PPC highlighted that it was not aware of any instance where a Japanese court had diverged from its guidelines.
It is apparent that there was significant political will to reach an adequacy decision in respect of Japan to coincide with the EPA and Japan’s reciprocal decision in respect of the EU. This political climate provides important context for the extent to which the European Commission was willing to rely on the PPC’s guidelines and adopt expansive interpretations of the APPI to enable it to conclude that the Japanese regime provides equivalent protection.
Copyright © Law Business Research. Company Number: 03281866. VAT: GB 160 7529 10